Friday, October 29, 2010

"Snap a photo of a sunset with your iPhone and you can upload it to Twitter with a few clicks.

But your smartphone might be transmitting more than a pretty photograph. It could be collecting and storing data about your real-time location – and then broadcasting that information when you upload photos onto the Internet...

In Cybercasing the Joint: On the Privacy Implications of Geotagging, two researchers from the University of California Berkeley investigated how different websites incorporate geotagged media. By examining photos and videos on Flickr, Craigslist and YouTube, they found 1.3% to 4.3% of uploaded media included embedded location data. Not surprisingly, they found geotagged photos and videos were most often captured through high-end cameras and smartphones (rather than basic cell phones)."
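The "embedded location data" the paper counts is the GPS IFD inside a photo's Exif block. The check a practitioner wants before anything is uploaded is simply: does this file carry a GPS position, and can it be removed? The following is an added example, not code from the paper or the blog: a standard-library Exif walker that finds the GPS latitude/longitude, plus a stripper that drops the Exif APP1 segment. The test image is constructed inline (a marker skeleton with a big-endian Exif block, not a decodable picture), and the coordinates in it are made up.

```python
import struct

# JPEG marker codes used below
SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825                     # IFD0 entry pointing at the GPS IFD
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4  # GPS IFD tags (Exif 2.x)


def iter_segments(jpeg):
    """Yield (marker, raw_segment); the SOS segment is yielded with the rest of the file,
    because entropy-coded data follows it. Assumes no stand-alone RSTn/TEM markers before SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos < len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == SOS:
            yield marker, jpeg[pos:]
            return
        if marker == EOI:
            yield marker, jpeg[pos:pos + 2]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # includes its own 2 bytes
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length


def exif_tiff(jpeg):
    """Return the TIFF-structured Exif payload, or None if there is no Exif APP1 segment."""
    for marker, seg in iter_segments(jpeg):
        if marker == APP1 and seg[4:10] == EXIF_HEADER:
            return seg[10:]
    return None


def strip_exif(jpeg):
    """Copy the JPEG without its Exif APP1 segment (where the GPS IFD lives)."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in iter_segments(jpeg):
        if marker == APP1 and seg[4:10] == EXIF_HEADER:
            continue
        out += seg
    return bytes(out)


def _ifd(tiff, offset, end):
    """Parse one IFD into {tag: (type, count, 4-byte value-or-offset field)}."""
    (n,) = struct.unpack(end + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _rationals(tiff, end, count, field):
    """Read `count` RATIONALs; at 8 bytes each they never fit inline, so `field` is an offset."""
    (off,) = struct.unpack(end + "I", field)
    vals = []
    for i in range(count):
        num, den = struct.unpack(end + "II", tiff[off + 8 * i:off + 8 * i + 8])
        vals.append(num / den)
    return vals


def dms_to_decimal(dms, ref):
    d, m, s = dms
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def gps_coordinates(tiff):
    """Return (lat, lon) in decimal degrees, or None when no GPS position is recorded."""
    end = {b"II": "<", b"MM": ">"}[tiff[:2]]
    (ifd0_off,) = struct.unpack(end + "I", tiff[4:8])
    ifd0 = _ifd(tiff, ifd0_off, end)
    if GPS_IFD_TAG not in ifd0:
        return None
    (gps_off,) = struct.unpack(end + "I", ifd0[GPS_IFD_TAG][2])
    gps = _ifd(tiff, gps_off, end)
    if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
        return None
    lat = dms_to_decimal(_rationals(tiff, end, 3, gps[LAT][2]), gps[LAT_REF][2][:1].decode())
    lon = dms_to_decimal(_rationals(tiff, end, 3, gps[LON][2]), gps[LON_REF][2][:1].decode())
    return lat, lon


def has_location(jpeg):
    tiff = exif_tiff(jpeg)
    return tiff is not None and gps_coordinates(tiff) is not None


def build_geotagged_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """CONSTRUCTED fixture: JPEG marker skeleton with a big-endian Exif block whose IFD0
    points at a GPS IFD. Not a decodable image; only the segment structure is real."""
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4          # IFD0 holds one entry -> GPS IFD at 26
    data_off = gps_off + 2 + 4 * 12 + 4      # GPS IFD holds four entries -> data at 80
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_TAG, 4, 1, gps_off) + struct.pack(">I", 0)
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI", LAT_REF, 2, 2) + lat_ref.encode().ljust(4, b"\0")  # ASCII fits inline
    gps += struct.pack(">HHII", LAT, 5, 3, data_off)                             # 3 RATIONALs
    gps += struct.pack(">HHI", LON_REF, 2, 2) + lon_ref.encode().ljust(4, b"\0")
    gps += struct.pack(">HHII", LON, 5, 3, data_off + 24)
    gps += struct.pack(">I", 0)
    rationals = b"".join(struct.pack(">II", n, d) for n, d in lat_dms + lon_dms)
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0_off) + ifd0 + gps + rationals
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    dqt = b"\xff\xdb" + struct.pack(">H", 4) + b"\x00\x00"                 # placeholder table
    scan = b"\xff\xda" + struct.pack(">H", 2) + b"\x00" + b"\xff\xd9"       # placeholder scan + EOI
    return b"\xff\xd8" + app1 + dqt + scan


# Constructed coordinates (37°52'12"N, 122°15'36"W), not taken from the paper
SAMPLE = build_geotagged_jpeg([(37, 1), (52, 1), (12, 1)], "N", [(122, 1), (15, 1), (36, 1)], "W")
```

Note that `strip_exif` removes the whole Exif block, not just the GPS IFD; that also discards camera model and timestamps, which is usually what you want on an upload path. Parsing only IFD0 and the GPS IFD is deliberate: the walker never follows offsets it does not need, so a malformed file can at worst raise a `struct.error` or `IndexError`, which a caller should treat as "unknown, do not upload".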

Monday, October 25, 2010

In the weeks before the New Hampshire primary last month, Linda Twombly of Nashua says she was peppered with online ads for Republican Senate hopeful Jim Bender.

It was no accident. An online tracking company called RapLeaf Inc. had correctly identified her as a conservative who is interested in Republican politics, has an interest in the Bible and contributes to political and environmental causes. Mrs. Twombly's profile is part of RapLeaf's rich trove of data, garnered from a variety of sources and which both political parties have tapped.

A company called RapLeaf is building databases on people by tapping voter-registration files, shopping histories, social-networking activities and real estate records. WSJ's Emily Steel and Julia Angwin join the Digits show to discuss which sites are using RapLeaf, and what web users can do to try to protect their privacy.

The market for data about Web users is hot, and one of the methods used is "scraping," harvesting online conversations. In May, Nielsen scraped private forums where patients discuss illnesses. How can web users prevent their data from being scraped? Julia Angwin joins Digits to discuss.

RapLeaf knows even more about Mrs. Twombly and millions of other Americans: their real names and email addresses.

This makes RapLeaf a rare breed. Rival tracking companies also gather minute detail on individual Americans: They know a tremendous amount about what you do. But most trackers either can't or won't keep the ultimate piece of personal information—your name—in their databases. The industry often cites this layer of anonymity as a reason online tracking shouldn't be considered intrusive.

RapLeaf says it never discloses people's names to clients for online advertising. But possessing real names means RapLeaf can build extraordinarily intimate databases on people by tapping voter-registration files, shopping histories, social-networking activities and real estate records, among other things.

"Holy smokes," says Mrs. Twombly, 67 years old, after The Wall Street Journal decoded the information in RapLeaf's file on her. "It is like a watchdog is watching me, and it is not good."

Some early adopters of the service are political campaigns. Democratic political consultant Chris Lehane used RapLeaf in a successful campaign against Proposition 17 in California, which would have changed the way auto-insurance rates are set in the state.

RapLeaf ranks among the most sophisticated players in the fast-growing business of profiling people online and trading in personal details of their lives, an industry that is the focus of a Journal investigation. The San Francisco startup says it has 1 billion e-mail addresses in its database.

RapLeaf acknowledges collecting names. It says it doesn't include Web-browsing behavior in its database, and it strips out names, email addresses and other personally identifiable data from profiles before selling them for online advertising.

Nevertheless, the Journal found that, in certain circumstances, RapLeaf had transmitted identifying details about Mrs. Twombly—such as a unique Facebook ID number, which can be linked back to a person's real name—to at least 12 companies. The Journal also found RapLeaf had transmitted a unique MySpace ID number (which is sometimes linked to a person's real name), to six companies. MySpace is owned by News Corp., which publishes the Journal.

RapLeaf says its transmission of Facebook and MySpace IDs was inadvertent and the practice was ended after the Journal brought it to the company's attention. The company says people can permanently opt out of its services at RapLeaf.com.


RapLeaf executives say their business offers valuable consumer benefits by allowing people to see relevant advertising and content. "The key goal of RapLeaf is to build a more personalizable world for people," says RapLeaf CEO Auren Hoffman. "We think a more personalizable world is a better world."

When a person logs in to certain sites, the sites send identifying information to RapLeaf, which looks up that person in its database of email addresses.

Then, RapLeaf installs a "cookie," a small text file, on the person's computer containing details about the individual (minus name and other identifiable facts). Sites where this happened include e-card provider Pingg.com, advice portal About.com and picture service TwitPic.com.

In some cases, RapLeaf also transmits data about the person to advertising companies it partners with.

Data gathered and sold by RapLeaf can be very specific. According to documents reviewed by the Journal, RapLeaf's segments recently included a person's household income range, age range, political leaning, and gender and age of children in the household, as well as interests in topics including religion, the Bible, gambling, tobacco, adult entertainment and "get rich quick" offers. In all, RapLeaf segmented people into more than 400 categories, the documents indicated.

RapLeaf's privacy policy states it won't "collect or work with sensitive data on children, health or medical conditions, sexual preferences, financial account information or religious beliefs."

After the Journal asked RapLeaf whether some of its profile segments contradicted its privacy policy, the company eliminated many of those segments. Segments eliminated include: interest in the Bible, Hispanic and Asian ethnic products, gambling, tobacco, adult entertainment, "get rich quick" offers and age and gender of children in household.

RapLeaf says many of its segments are also "used widely by the direct-marketing industry today."

In this year's hotly contested midterm elections, some political organizations are tapping RapLeaf's technology. With traditional postal mailing lists, "We used to bombard their house with mail. Now we can bombard their house with online ads," says Robert Willington, the Republican online campaign strategist who worked on behalf of Mr. Bender's New Hampshire campaign.

In Mr. Lehane's California effort against Proposition 17 this year, RapLeaf found online about 200,000 suburban women over the age of 40 in Southern California, a demographic the campaign considered swing voters.

Mr. Lehane says the 4-percentage-point margin of defeat suggested the technology was effective. "With an election that close, every voter you can reach matters," he says.

Mr. Lehane says he was considering using RapLeaf as part of a campaign against Meg Whitman, who is running for governor in California. That campaign is being run by a political group, Level the Playing Field 2010, which was funded by several labor unions and which Mr. Lehane led.

RapLeaf says it has participated in about 10 campaigns this season, declining to identify them. "We expect that forward-thinking campaigns will begin to use it this year more widely as an alternative to direct mail, email and phone calls," says Joel Jewitt, RapLeaf's vice president of business development.

Co-founded in 2006 by Mr. Hoffman, a Silicon Valley entrepreneur, RapLeaf began as an online service letting people rate each other based on their business transactions.

The company raised an initial $1 million in funding from well-known Silicon Valley investors including PayPal co-founder and Facebook investor Peter Thiel. A person familiar with the situation says the company closed a $15 million fund-raising round this month.

Soon after it was founded, RapLeaf began "scraping"—or collecting information from—social networks to build a people search engine. It matched data from social-networking profiles with email addresses. RapLeaf says data it collects are public. It sold a service giving companies information about the customers on their e-mail lists.

By 2009, RapLeaf had indexed more than 600 million unique email addresses, it said in a press release that year, and was adding more at a rate of 35 million per month. Meanwhile, the business of helping marketers with their email lists (RapLeaf's core) was lagging in the recession. And the online-tracking business was taking off.

Data From 'What They Know'

The Wall Street Journal analyzed the tracking files installed on people's computers by the 50 most popular websites, plus WSJ.com.

RapLeaf's Mr. Jewitt says the company saw an opportunity: It decided to connect its database of dossiers on people to cookies placed on those same individuals' computers, for ad targeting. "If you are a modern information company, you have to be involved in that," he says.

Combining off-line profiles with online tracking has raised red flags ever since another company first tried it 10 years ago. Privacy advocates argued that connecting people's Web-browsing habits with their names was too intrusive.

RapLeaf says it doesn't share or sell emails. However, under some circumstances it will provide names and other personal details if a client already possesses that person's email address.

For example, a company might come to RapLeaf with an email-address mailing list, and RapLeaf will try to provide information about the people on that list. This year, RapLeaf began offering services to target these people with online ads for the client.

For that to work, RapLeaf relies on a network of cooperating websites that use email addresses as part of the sign-on process. Those sites agree to transmit their users' email addresses (in encrypted form) to RapLeaf. Then, RapLeaf "drops," or installs, cookies on users' computers.
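The article says the cooperating sites send email addresses "in encrypted form"; in practice this kind of matching is done on a one-way hash of the normalized address, and the security point is that an unkeyed hash is still a stable identifier. Any party holding a list of addresses can resolve it by hashing its own list, and the same value arrives from every site, so profiles can be joined. The example below is added here and is not RapLeaf's or any partner's code; it treats the "encrypted form" as SHA-256 (an assumption), and shows the per-site keyed alternative (HMAC with a secret the site does not share) that a site could use when it needs a stable user token but should not be handing out a cross-site join key. All addresses and secrets are constructed.

```python
import hashlib
import hmac


def normalize(email):
    """Match rules that make 'Alice@Example.com' and 'alice@example.com' hash the same."""
    return email.strip().lower().encode()


def plain_hash(email):
    """Unkeyed SHA-256 of the address: identical at every site that does this,
    and resolvable by anyone who holds the address in a list."""
    return hashlib.sha256(normalize(email)).hexdigest()


def keyed_id(email, site_secret):
    """HMAC-SHA256 under a per-site secret: stable within one site, but a second site
    with a different secret produces an unrelated value, so the two cannot be joined."""
    return hmac.new(site_secret, normalize(email), hashlib.sha256).hexdigest()


def resolve(received, known_emails):
    """What a receiver holding a list of addresses can do with an incoming unkeyed hash."""
    table = {plain_hash(e): e for e in known_emails}
    return table.get(received)


# Constructed data: a receiver's address list and two sites' secrets
RECEIVER_LIST = ["alice@example.com", "bob@example.com"]
SITE_A_SECRET = b"constructed-secret-held-only-by-site-a"
SITE_B_SECRET = b"constructed-secret-held-only-by-site-b"


def compare(email):
    """Same user signs in at site A and site B; compare what each scheme leaks."""
    plain_a, plain_b = plain_hash(email), plain_hash(email)
    keyed_a, keyed_b = keyed_id(email, SITE_A_SECRET), keyed_id(email, SITE_B_SECRET)
    return {
        "plain_joinable_across_sites": plain_a == plain_b,
        "plain_resolved_by_receiver": resolve(plain_a, RECEIVER_LIST),
        "keyed_joinable_across_sites": keyed_a == keyed_b,
        "keyed_resolved_by_receiver": resolve(keyed_a, RECEIVER_LIST),
    }
```

The keyed token is only as private as the secret: if the site hands the secret to the tracker, or the tracker can ask the site to compute tokens for arbitrary addresses, the join is back. The design goal is that the third party never holds anything it can reproduce from an address list of its own.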

It's tough to build up a network of such sites, because many don't want to let outsiders track their visitors. This summer, RapLeaf sent a marketing email offering to pay one website an unspecified sum for this kind of access, according to documents reviewed by the Journal. The website chose not to take the offer.

RapLeaf declined to name the sites it works with, citing nondisclosure agreements. The Journal found that sites installing RapLeaf cookies included About.com, owned by the New York Times Co.; online invitation site Pingg.com; photo-sharing sites TwitPic.com and Plixi.com; movie site Flixster.com; discount site Tester-Rewards.com; and some Facebook.com and MySpace.com applications.

The Journal last week reported on the Facebook and MySpace apps sending data to RapLeaf. Both sites say they prohibit applications from sharing user data with outside data companies, and that they took steps to stop the apps that were transmitting user data to RapLeaf.

A Facebook spokesman says the company is acting to "dramatically limit" the exposure of users' personal information. Facebook says the user ID allows access only to information that Facebook requires people to make public in their profile.

After receiving user IDs from some MySpace and Facebook apps, RapLeaf was then transmitting data about users to its advertising partners. After being contacted by the Journal, RapLeaf says it "acted immediately" to strip out identifying information from the data it shared with partners.

An About.com spokeswoman says the company doesn't have a relationship with RapLeaf. She says users' information was sent to RapLeaf via a partner that operates on its site, and that About.com wasn't aware its users' email addresses were being sent to RapLeaf.

Plixi.com says the company is "in experiment mode right now with behavioral-targeting companies like RapLeaf." Flixster.com says it "does not sell any of our users' personal information to anyone" and declined to comment further.

Pingg.com declined to comment. TwitPic and Tester-Rewards didn't respond to requests for comment.

The Journal decoded RapLeaf's information on Gordon McCormack Jr., a 52-year-old who lives in Ashland, N.H. RapLeaf correctly identified Mr. McCormack's income range, number of cars (one), his interests in gardening and the Beatles, and his interest in playing the online game Mafia Wars, among other topics.

Mr. McCormack says he plays Mafia Wars almost every day before going to bed.

RapLeaf also identified Mr. McCormack as someone with an interest in online personals. He says he isn't currently active in online dating, but might have a couple of profiles "lurking on the Internet."

When Mrs. Twombly, the New Hampshire Republican, registered at Pingg.com using her email address, RapLeaf matched her to dozens of "segments," according to a Journal analysis of the computer code transmitted while she was on the site.

The Journal was able to decode 26 of the segments, including her income range and age range and the fact that she is interested in the Bible and in cooking, crafts, rural farming and wildlife. Mrs. Twombly says all the decoded segments describe her accurately.

RapLeaf says some of the segments in Mrs. Twombly's and Mr. McCormack's profiles "do not exist," possibly due to changes in RapLeaf's overall segment list in the time since their web traffic was decoded for this article last month.

In Mrs. Twombly's case, RapLeaf transmitted data about her to at least 23 data and advertising companies after she logged into Pingg, according to the analysis of the computer code.

Twenty-two companies, including Google's Invite Media, confirmed receiving data from RapLeaf. RapLeaf declined to comment on its relationships with the companies.

Since talking with the Journal, Mrs. Twombly tweaked her Web browser to limit cookie installation. As a result, she says, some websites don't always work properly for her, a common side effect of restricting cookies.

Mrs. Twombly also removed applications from her Facebook profile that were transmitting data to RapLeaf, the Best Friends Gifts and Colorful Butterflies apps. The maker of those apps, Lolapps Media Inc., says it stopped working with RapLeaf.

Still, Mrs. Twombly is no longer using those apps to send virtual gifts and butterflies to her online friends. "My neighbor did send me a hug or a rainbow or a heart or something like that, but I didn't respond," Mrs. Twombly says. "Once burned, twice shy."

Thursday, October 14, 2010

Patient confidentiality used to be a simple concept, simply enforced. Healthcare workers, for the most part, knew not to poke their nose in the records room or gossip about patients' medical issues. Privacy breaches, when they occurred, could be contained.

Along came electronic medical records, Internet social sites like Twitter and Facebook, and hackers. These newfangled online outlets provide—literally and in an instant—global access to patients' medical records, which makes breaches a lot more serious and enforcement a lot tougher.

"Patient information is like radioactive material," says Arthur R. Derse, MD, director of the Center for Bioethics and Medical Humanities at the Medical College of Wisconsin in Milwaukee. "It must be protected. It must be contained. It cannot be taken out of the building, sent out of the building, or looked at inappropriately if the employee is not permitted to access it.

"The problem is students and employees and younger folks coming into work think of Facebook and Twitter as something you do. Just as you shouldn't be saying anything about patients on the telephone, you shouldn't be Twittering or Facebooking about work," Derse says.

Fortunately, the concept of patient confidentiality has remained as simple now as it was in the time of Hippocrates. Rather than devising detailed, multilayered responses to every new social networking outlet that pops up every few months, effective patient confidentiality guidelines should identify the new threats but focus on instilling that simple and ancient principle with trustworthy employees.

Pamela Paulk, vice president of human resources at Johns Hopkins Hospital and Johns Hopkins Health System, says the Baltimore-based health system's confidentiality guidelines are based upon trust. "We really do believe that our employees are going to do the right thing," Paulk says. "Our guidelines say that everybody has gone through HIPAA training and signed their confidentiality agreements. We say that extends to social media, anything that would apply at work applies on social media. That is basically the guidelines."

The popular notion of breaking patient confidentiality usually involves simple curiosity about celebrity patients or patients with unusual—perhaps embarrassing—medical issues. That's a black-and-white issue. Good employees know better than to breach that confidence.

There are gray areas, however: healthcare workers with good intentions, raising legitimate concerns about patient safety, care quality, or the competence of colleagues; physicians consulting with colleagues over the Internet. Everyone must be aware of the privacy pitfalls inherent in social media.

Derse says healthcare workers don't have to post concerns about safety or competence on the Internet, because there are plenty of legitimate outlets.

"Having the ability to complain about somebody's performance if they feel it is dangerous or substandard is something that is very important, but you don't have the right to complain to the general public," he says. "You have the right to complain to people who can actually address the problem."

Derse says hospitals should have in place policies that encourage and facilitate reporting bad behavior, and that protect whistleblowers from retaliation. If not, he says, employees can take their complaints to their local medical professions boards.

Paulk says Johns Hopkins has an "absolute rule that anybody can stop the 'assembly line' if they think something is wrong. They are able and encouraged to speak up." That culture of safety encourages staff to report issues to supervisors on an in-house database, or to an anonymous hotline. "We have all different avenues," she says.

And what about healthcare workers who use an Internet site to complain about the workplace? When does an employee's freedom of speech run up against a healthcare institution's need to defend its good name?

"One solution is to have a policy that says, 'We don't want you to discuss anything about the business on the Internet,'" Derse says. "If they said, 'We don't want you to discuss politics,' that would be a difficult and legally problematic stand. But employers do have a certain amount of control over employees if someone is negatively commenting on the institution where they work."

Paulk says she is not aware of Johns Hopkins Health employees using social network sites to kvetch about work, and said the health system has no plans to regulate it, even if it could. "If they did, we couldn't discipline them for that unless it were a patient privacy violation. But if it came to our attention that they are talking about a colleague or someone by name, from an HR perspective, we would handle it just like in the workplace. If it were two workers who were causing tension in the workplace, we would try to address their concerns," she says.

For Paulk, it all comes back to common sense and trust. "This is a tough new world that we are living in," she says. "I just hope people don't get in the business of hiring social media police. But if you don't trust your people, you've got a whole other problem."

Tuesday, October 12, 2010

In the year since the breach notification rule for personal health records took effect, no major breaches affecting 500 or more individuals have been reported, according to the Federal Trade Commission.

A personal health record is an "electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for the individual," according to the FTC.

Last year, the FTC issued a PHR breach notification rule, as called for under the HITECH Act. Under the rule, which took effect Sept. 24, 2009, major breaches must be reported to the FTC within 10 business days. PHR vendors, and certain companies with which they do business, must report any size breach to the individuals affected within 60 days. But they only have to report the smaller incidents to the FTC annually, 60 days after the start of the calendar year.

Incidents Listed

The FTC has posted a list of 13 incidents affecting 15 individuals in 2009. All were reported by Microsoft Corp., which offers the HealthVault PHR platform. Each case involved lost or stolen credentials, and none of the cases involved is known to have resulted in inappropriate use of patient information, says Cora Han, attorney in the division of privacy and identity protection in the FTC's bureau of consumer protection.

The FTC's breach notification rule requires reporting of incidents involving unauthorized acquisition of unencrypted PHR information that contains personal identifiers. "Microsoft did this proactively," Han says of the company's reports of the incidents, which could potentially lead to breaches. "They were not reported as cases where accounts had been breached."

The 13 HealthVault cases posted on the FTC site are the only reports the agency received regarding smaller PHR security incidents in 2009, Han confirms. In all but one case, individual PHR users reported the lost or stolen credentials to Microsoft, she says. In the other, Microsoft discovered three individuals' credentials had been lost or stolen.

The FTC waited until now to post information about the incidents because it was waiting to see how much information on breaches it received, Han says. The FTC does not have an official schedule for updating the list of incidents, but likely will do so every few months if new information becomes available, she adds.

Personal health records are regulated under the HIPAA privacy and security rules only if they are offered by a "covered entity," such as a hospital or physician group.

Covered entities and their business associates must report breaches of all types of electronic or paper patient records affecting 500 or more individuals to the Health and Human Services' Office for Civil Rights within 60 days. Since the breach notification rule for covered entities went into effect last September, 181 major breach incidents affecting 4.9 million individuals have been reported to the Office for Civil Rights.

PHR Report Overdue

Federal officials are still months away from submitting an overdue report to Congress on privacy and security requirements for personal health records vendors.

Section 13421 of the HITECH Act called for HHS, in collaboration with the FTC, to submit a report by last February on the requirements for PHR vendors and others not covered by HIPAA. But the report has been delayed while the HHS Office of the National Coordinator for Health Information Technology worked on other projects, says Joy Pritts, ONC's chief privacy officer. She expects the report to be completed early in 2011.

On Dec. 3, ONC will host a day-long roundtable event in Washington on PHRs to gather information to use in preparing the report.

Based on the recommendations in the report, new regulations might be proposed or Congressional action might be requested, Pritts adds.

Only Incidents Listed Are Lost or Stolen Credentials

October 11, 2010 - Howard Anderson, Managing Editor, HealthcareInfoSecurity.com

In written testimony prepared for a Congressional hearing held Sept. 30, Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, called for stronger protection of personal health records, but not through HIPAA. She said that the Markle Foundation's Common Framework for Networked Personal Health Information would provide a good starting point.

It was a break-in. A new member of the site, using sophisticated software, was "scraping," or copying, every single message off PatientsLikeMe's private online forums.

PatientsLikeMe managed to block and identify the intruder: Nielsen Co., the privately held New York media-research firm. Nielsen monitors online "buzz" for clients, including major drug makers, which buy data gleaned from the Web to get insight from consumers about their products, Nielsen says.

"I felt totally violated," says Bilal Ahmed, a 33-year-old resident of Sydney, Australia, who used PatientsLikeMe to connect with other people suffering from depression. He used a pseudonym on the message boards, but his PatientsLikeMe profile linked to his blog, which contains his real name.

After PatientsLikeMe told users about the break-in, Mr. Ahmed deleted all his posts, plus a list of drugs he uses. "It was very disturbing to know that your information is being sold," he says. Nielsen says it no longer scrapes sites requiring an individual account for access, unless it has permission.

Andrew Quilty for The Wall Street Journal.

Bilal Ahmed wrote about his health on a site that was scraped.

The market for personal data about Internet users is booming, and in the vanguard is the practice of "scraping." Firms offer to harvest online conversations and collect personal details from social-networking sites, résumé sites and online forums where people might discuss their lives.

The emerging business of web scraping provides some of the raw material for a rapidly expanding data economy. Marketers spent $7.8 billion on online and offline data in 2009, according to the New York management consulting firm Winterberry Group LLC. Spending on data from online sources is set to more than double, to $840 million in 2012 from $410 million in 2009.

The Wall Street Journal's examination of scraping—a trade that involves personal information as well as many other types of data—is part of the newspaper's investigation into the business of tracking people's activities online and selling details about their behavior and personal interests.

Some companies collect personal information for detailed background reports on individuals, such as email addresses, cell numbers, photographs and posts on social-network sites.

Others offer what are known as listening services, which monitor in real time hundreds or thousands of news sources, blogs and websites to see what people are saying about specific products or topics.

Chris Detrick for The Wall Street Journal

Some of the computer code behind screen-scraper.com's software.

One such service is offered by Dow Jones & Co., publisher of the Journal. Dow Jones collects data from the Web—which may include personal information contained in news articles and blog postings—that help corporate clients monitor how they are portrayed. It says it doesn't gather information from password-protected parts of sites.

The competition for data is fierce. PatientsLikeMe also sells data about its users. PatientsLikeMe says the data it sells is anonymized, no names attached.

Nielsen spokesman Matt Anchin says the company's reports to its clients include publicly available information.

Medical health records provide key information to researchers, who have lobbied hard to keep them accessible, despite government concerns about the privacy of patient data. The controversy dates back to 1996, when Congress passed the Health Insurance Portability and Accountability Act (HIPAA) to protect patients. "Researchers have very broad access rights to health care records under HIPAA," says Pam Dixon, director of a non-profit called the World Privacy Forum. "The rules are pretty loose, and there are a lot of ways to get around them."

That's especially true since the act wasn't designed to cover common scenarios today: records stored online in a vast, hackable cloud. In the rush to digitize all electronic health records, Dixon says not everyone is taking the proper steps to de-personalize the data and protect patients.

All medical records will turn digital by 2014, according to a provision in President Obama's economic stimulus package. This would allow physicians to store patient data in the cloud, making it much easier to connect fragmented medical records, saving time and money.

Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act alongside the stimulus, which is meant to reinforce security as those records go digital. The 2009 stimulus bill also offers financial incentives for companies that create electronic records.

The money in medical records

That has caused health care facilities to scramble to find companies that will help them store electronic data. "When there's money, everybody comes out," says Kurt Long, CEO of FairWarning, a company that monitors privacy breaches in electronic health records. But the effort to offer electronic health record services might have outpaced efforts to secure the data. Long says "we've got a wild west here in health care."

A report last week in a Texas watchdog publication called the Austin Bulldog outlined the problems with electronic medical records in the state. According to the report, the Texas Department of State Health Services (DSHS) has been selling de-identified patient data to groups who can prove they would use it for research. Some of the roughly 100 buyers from January 1, 2009, through April 1, 2010 included Blue Cross Blue Shield of Texas, Los Angeles business consulting firm EconOne, and Sanofi Pasteur, the vaccines arm of French pharma giant Sanofi-Aventis. The Texas DSHS charges between $2100 and $5600 per year for data collected after 2007 and under $1000 per year for data collected between 2004 and 2006. Data collected before 2003 is free, and available online.

But de-identification is far from foolproof. The de-identification process can mean changing some of the digits in the patients' zip code, withholding the dates of the hospital visit, and providing an age range instead of patients' actual age. But most records still include diagnoses, gender, address, billing information, and information about patients' next of kin. This leaves plenty of ways to re-identify patients by cross-referencing it with other information on the web. That's easy to do, Long says, "it's certainly not rocket science."
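The paragraph above describes generalization (truncated ZIP, age range, withheld dates) without any measurement of whether the remaining fields still single people out. The usual way to measure that is k-anonymity: group the released records by their quasi-identifiers and look at the smallest group; a group of size 1 is a record that any outside list sharing those fields can pin to one person. The code below is an added example, not the Texas DSHS process or FairWarning's product, and the records are constructed. It generalizes a small table the way the article describes, reports the minimum k, lists the records that remain unique, and shows the standard remedy: suppress (withhold) records whose group is still too small.

```python
from collections import Counter

# Constructed discharge records (hypothetical, not DSHS data). zip, age and sex are the
# quasi-identifiers that survive the light de-identification described in the article;
# dx is the sensitive attribute being released.
RECORDS = [
    {"zip": "78701", "age": 34, "sex": "F", "dx": "asthma"},
    {"zip": "78701", "age": 36, "sex": "F", "dx": "fracture"},
    {"zip": "78702", "age": 38, "sex": "F", "dx": "migraine"},
    {"zip": "78702", "age": 31, "sex": "M", "dx": "asthma"},
    {"zip": "78703", "age": 33, "sex": "M", "dx": "appendicitis"},
    {"zip": "78704", "age": 67, "sex": "M", "dx": "depression"},
    {"zip": "78705", "age": 35, "sex": "F", "dx": "fracture"},
    {"zip": "78705", "age": 39, "sex": "M", "dx": "migraine"},
]


def generalize(rec, zip_digits=3, age_bucket=10):
    """Quasi-identifier tuple after generalization: truncated ZIP plus an age range."""
    zip_g = rec["zip"][:zip_digits] + "*" * (5 - zip_digits)
    lo = (rec["age"] // age_bucket) * age_bucket
    return (zip_g, f"{lo}-{lo + age_bucket - 1}", rec["sex"])


def class_sizes(records, **kw):
    """How many records share each generalized quasi-identifier tuple."""
    return Counter(generalize(r, **kw) for r in records)


def k_anonymity(records, **kw):
    """Smallest equivalence class. k == 1 means some record is unique on its
    quasi-identifiers, i.e. linkable to one person by any list with the same fields."""
    return min(class_sizes(records, **kw).values())


def risky_records(records, k_min=3, **kw):
    """Records whose class is smaller than k_min even after generalization."""
    sizes = class_sizes(records, **kw)
    return [r for r in records if sizes[generalize(r, **kw)] < k_min]


def anonymize(records, k_min=3, **kw):
    """Generalize, then suppress records whose class is still below k_min.
    Returns (released_rows, suppressed_originals)."""
    sizes = class_sizes(records, **kw)
    released, suppressed = [], []
    for r in records:
        qi = generalize(r, **kw)
        if sizes[qi] >= k_min:
            released.append({"zip": qi[0], "age_range": qi[1], "sex": qi[2], "dx": r["dx"]})
        else:
            suppressed.append(r)
    return released, suppressed


def released_k(released):
    """Re-check k on the rows actually being released."""
    return min(Counter((r["zip"], r["age_range"], r["sex"]) for r in released).values())
```

On this table, full ZIP and exact age give k = 1 for everyone; the article's style of generalization (three ZIP digits, ten-year age band) raises k to 4 and 3 for the two large groups but leaves the one 67-year-old unique, and only suppression gets the release to k = 3. The point for a data custodian is that "we changed some digits in the ZIP" is not a result; the minimum class size is.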

It's not a problem unique to Texas either, according to Deborah Peel, psychiatrist and founder of a watchdog group called Patient Privacy Rights. "I am very certain this is happening in every state," she says. But there's no way to know, says World Privacy Forum's Dixon. The Department of Health and Human Services could launch a national study, but probably doesn't have the resources. Also, states, not the federal government, regulate digital medical record security.

"The problem is that states are massively underfunded," Peel says. "They don't have the resources to do this, so they do this stuff without getting any kind of expert advice. They've been incredibly casual with this sensitive data."

Most researchers who buy the data, which is key to their work, don't do so with the intention of selling it to bad guys. But the problem is that unencrypted medical data is easily hackable, and there's no way of knowing how researchers are safeguarding the data once they buy it. Breaches happen often, says Long, and can include anything "as innocent as looking at your neighbor's medical records to employees stealing the identities of patients so they can produce false federal tax returns."

Many hackers are curious, trying to figure out whether their neighbors, celebrities or athletes have a history of alcoholism or mental illness. "We always bust people looking at all those records whenever there's a Super Bowl," Long says.

Past breaches in electronic health record security have also resulted in identity theft, false Medicare and Medicaid claims, and credit card scams.

Cyber security has been playing catch-up, says Long. "There were no laws until HIPAA," which wasn't enforced when it passed in 1996. "It's not until the HITECH stimulus bill passed in 2009 that all of these things became more serious."

Now that safety is starting to be a priority, "there has to be a better balance between privacy needs and researchers' needs," Dixon says. "Technology has moved quickly, the regulation was weak to begin with, and now we're in a free for all."

Wednesday, October 6, 2010

A new Office of Personnel Management database designed to track federal employee health benefit plans could put at risk the personal information of participants, according to privacy advocates.

OPM last week announced plans for a database tool to track and evaluate the quality and cost of services provided through the Federal Employees Health Benefits Program. According to an Oct. 5 notice in the Federal Register, the health claims data warehouse will centralize information about FEHBP; the National Pre-Existing Condition Insurance Program, which provides coverage to those denied insurance because of a medical condition; and the Multi-State Option Plan.

The tool will collect information such as the enrollee's name, Social Security number, employment details and information about health care providers, medical diagnoses and insurance coverage. OPM will look at demographic, health and pricing trends across the programs to find ways to reduce costs, the notice said.

Privacy advocates expressed concern the database could violate patient privacy. The notice does not provide details about how the information will be stored securely, nor does it explain how the data will be stripped of identification information before being released for research purposes, said Dr. Deborah Peel, founder of the nonprofit Patient Privacy Rights.

OPM doesn't need a centralized tool to analyze FEHBP information because that data already exists with the plan providers, said Deven McGraw, director of the Health Privacy Project at the nonprofit Center for Democracy and Technology, adding the database presents another opportunity for outsiders to access sensitive information.

"OPM is proposing to create one big, centralized database rather than asking the plans to run analyses and give them the answers," McGraw said. "Records that used to be in one place are now in two."

She suggested OPM require health plans to provide aggregated information rather than the raw data the warehouse tool will collect.

"This could be a condition of participation in FEHBP," McGraw said. "There's no reason why they can't get plans to give them this data ... they have the authority to have queries run by plans without moving data into the middle, thereby exposing the data to risk."

According to the notice, the information could be used in law enforcement proceedings, congressional inquiries or OPM workforce studies. In some cases, individuals could be identified through the data selected, OPM said. Researchers and analysts outside government also could gain access to the information to examine health insurance trends, the notice added. McGraw and Peel both expressed concern that individuals claiming to do research could access sensitive patient data without rules or constraints.

"We do not see adequate safeguards to ensure that the aggregated records are made secure from thieves and are not used as fodder for the health data mining industry," Peel said. "This proposal is irresponsible because those in the database cannot trust that their information is secure and they have no ability to consent to research uses of their data." OPM did not respond to requests for comment.